Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

There is no feature that helps to cancel a given signature

0xbepresent

Summary

The ProxyFactory::deployProxyAndDistributeBySignature() function helps to deploy proxy contract and distribute prize on behalf of organizer. The problem is that there is no implementation that helps to cancel the given signature.

Vulnerability Details

The ProxyFactory::deployProxyAndDistributeBySignature() function helps to deploy proxy contract and distribute prize on behalf of organizer.

The hash contains the next parameters keccak256(abi.encode(contestId, data)) (code line 159) and the data parameter is the distribute selector and the function parameters data = abi.encodeWithSelector(Distributor.distribute.selector, jpycv2Address, winners, percentages_, "");.

File: ProxyFactory.sol

152: function deployProxyAndDistributeBySignature(

153: address organizer,

154: bytes32 contestId,

155: address implementation,

156: bytes calldata signature,

157: bytes calldata data

158: ) public returns (address) {

159: bytes32 digest = _hashTypedDataV4(keccak256(abi.encode(contestId, data)));

160: if (ECDSA.recover(digest, signature) != organizer) revert ProxyFactory__InvalidSignature();

161: bytes32 salt = _calculateSalt(organizer, contestId, implementation);

162: if (saltToCloseTime[salt] == 0) revert ProxyFactory__ContestIsNotRegistered();

163: if (saltToCloseTime[salt] > block.timestamp) revert ProxyFactory__ContestIsNotClosed();

164: address proxy = _deployProxy(organizer, contestId, implementation);

165: _distribute(proxy, data);

166: return proxy;

167: }

The problem is that the sighature can not be cancelled by the organizer therfore the caller can distribute the prizes wrongly. Please see the next scenario:

Organizer creates the signature using the winner1 percentage 90% and winner2 percentage 5%.
The caller waits until the close time is reached. Meanwhile for some reason, the organizer wants to change the winners percentages but since there is no any feature that helps to cancel the signatures, the caller who owns the signature, can still call with the wrong winners.
Caller distributes to undesired winners.

Impact

The signature can not be cancelled by the organizer. There could be situations where the organizer may want to change the winners/percentages before the caller who owns the signature calls distribute function.

Tools used

Manual review

Recommendations

Implements a feature that helps to cancel a given signature by the organizer.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.